HIGH 8.3

CVE-2026-42941: MacGregor Voyage Data Recorder Default Credentials Authentication Bypass

Danelec MacGregor's Voyage Data Recorder (VDR) devices ship with hardcoded default credentials that cannot be forced to change, allowing unauthenticated network attackers to gain administrative access. This is a straightforward but high-impact authentication bypass on a maritime safety-critical system.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.3 HIGH · CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Weaknesses (CWE)
CWE-1392
Affected products
2 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

The Danelec MacGregor Voyage Data Recorder device includes a default username and password, with no enforced password change.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-42941 affects the MacGregor Interschalt VDR G4E and its firmware. The vulnerability stems from default username and password credentials (CWE-1392: Default Credentials in Configuration) that are embedded in the device with no mandatory password change mechanism enforced during initialization or operation. An attacker with network access to the device can authenticate using these defaults, bypassing all authentication controls and gaining full administrative privileges. The CVSS 3.1 vector (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L) reflects high confidentiality and integrity impact with low availability impact, and requires adjacent network access rather than the internet at large.

Business impact

VDRs are mandated safety and compliance systems on commercial vessels, recording bridge operations, navigation decisions, and critical events. Compromise via default credentials could allow unauthorized modification of voyage records, tampering with evidence in accident investigations, disruption of safety-critical operations, or exfiltration of sensitive vessel routing and operational data. For operators, this creates regulatory liability under SOLAS and Flag State requirements, plus potential reputational and legal exposure if records are altered or incidents occur while systems are compromised.

Affected systems

MacGregor Interschalt VDR G4E devices and associated firmware versions are affected. Verify exact firmware versions against the vendor advisory, as the available data does not specify a lower or upper bound. Any VDR G4E deployed on active vessels using the default credentials remains vulnerable unless mitigated.

Exploitability

Exploitation is trivial once network access to the device is achieved. No user interaction, special tools, or complex attack chains are required—an attacker simply needs to know or discover the default credentials and connect to the device's management interface. However, the requirement for adjacent network access (not internet-facing by default) somewhat limits opportunistic mass exploitation, though network segmentation failures or compromised onboard networks could expose the device.

Remediation

Immediately change all default credentials to strong, unique passwords. Verify that new credentials cannot be reset to defaults without physical device access or authenticated console intervention. Apply any firmware updates released by MacGregor that enforce mandatory password changes or remove default credentials entirely. Restrict network access to the VDR management interface using firewall rules or network segmentation; the device should not be accessible from guest networks, crew personal devices, or unsecured shipboard systems.

Patch guidance

Check MacGregor's advisory for specific firmware version patches. Apply patches to all deployed VDR G4E units in your fleet during scheduled maintenance windows. Verify patch installation by confirming that default credentials are no longer valid and that password change policies are enforced. Test in a controlled environment before fleet-wide deployment, as VDRs are safety-critical and must remain operational during updates.

Detection guidance

Monitor for login attempts to VDR management interfaces using default credentials or unusual authentication patterns. Enable detailed logging on the VDR if available. Network-based detection can identify attempts to connect to VDR ports (typically SSH or HTTP/HTTPS) and attempt default credential use. Verify through periodic credential audits that no default accounts remain active. Host-based checks on onboard networks can scan for VDR services and test credential validity in controlled, authorized assessments.

Why prioritize this

This vulnerability warrants urgent remediation due to: (1) trivial exploitability with no prerequisites; (2) full administrative compromise via authentication bypass; (3) high confidentiality and integrity impact on safety-critical maritime systems; (4) regulatory compliance implications (SOLAS, Flag State audits); (5) potential for evidence tampering in accident investigations. Although not yet in CISA's KEV catalog, the attack surface and impact justify immediate action regardless of real-world exploit activity.

Risk score, explained

CVSS 8.3 (HIGH) reflects the combination of adjacent network access (moderating from internet-wide attack surface) but requiring zero complexity and no privileges, combined with high confidentiality and integrity impact. The score appropriately captures a complete authentication bypass on a critical control plane. Business context—maritime safety regulations and the immutability demands of voyage records—elevates operational risk beyond the numeric score.

Frequently asked questions

Do we need to patch this immediately, or can it wait for scheduled maintenance?

Given the trivial exploitation and full administrative access, remediation should not wait. Change default credentials immediately as an emergency interim step, then schedule and execute firmware patches during the next available maintenance window. Do not defer credentialing changes.

If our VDR is on a closed vessel network with no external internet access, are we still at risk?

Yes. Internal network compromise (via compromised crew devices, maintenance access, or supply-chain incidents) could expose the VDR to local attack. Additionally, shore-based management systems or crew WiFi that connect to the VDR may create paths for remote exploitation. Network isolation alone is insufficient; credentialing remediation is mandatory.

Will changing credentials on one VDR unit affect others in our fleet?

Each VDR should be managed independently. Change credentials on each device separately. Do not reuse the same credentials across multiple VDRs, as compromise of one device would compromise all others.

What should we do if we cannot immediately update firmware?

As an interim control, change all default credentials to strong, unique passwords on each affected VDR, document the new credentials securely, and restrict network access to the device using firewall rules or network segmentation. This eliminates the immediate attack surface while you prepare for firmware updates. However, this is a stopgap—plan firmware patches on a priority timeline.

This analysis is provided for informational purposes and reflects publicly available vulnerability data as of the publication date. SEC.co makes no warranty regarding the completeness or accuracy of vendor advisory details, patch version specifics, or deployment timelines—operators must verify all technical details, patch availability, and applicability directly with MacGregor and their Flag State maritime authority. Regulatory compliance obligations vary by jurisdiction and vessel classification; consult your Flag State and maritime classification society for mandated remediation timelines. Testing of detection or mitigation strategies on production VDR systems should be performed only with proper authorization and in consultation with safety and compliance teams, as VDRs are safety-critical systems subject to stringent operational requirements. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).